How to Prevent and Remove Malware in WordPress

WordPress is now the most popular website management software, currently powering more than 70 million websites worldwide. Software by it's very nature is something that needs to be maintained, as new updates and patches become available. WordPress has been freely available since 2004 to create a website with, and versions remain online from 1.x to the most current (3.3.2).

From the very first version of WordPress, to the latest, there have been hundreds of updates available - some of which patch very big security holes. Over the last few years the term "malware" has been used in conjunction with WordPress websites that have been compromised (hacked) through one of these security holes. While malware is typically a term to describe a virus with a payload on a PC, the term is now more often used to describe a (WordPress) website that's been infected with SEO spam, or malicious scripts or code.

The best prevention for malware in WordPress is simply keeping it up to date. As new releases become available, perform the upgrade as soon as possible. In addition, also be sure that your installed theme and plugins are up to date as well.

Tips for Malware Prevention

While updating WordPress is great preventative medicine there are multiple additional things that you can do to further protect your website:

Remove old plugins: Be sure to remove any plugins that you aren't using (that are deactivated). Even unused plugins can be a security risk. Also, be sure to only leave installed plugins that have had an update within the last 12-18 months. If you're using plugins older than that, they may not be compatible with the latest version(s) of WordPress (or your theme) - and they could have security holes as well.

Review your theme: How old is your WordPress theme? If you purchased it from a developer, check and see if there is a recent update available for you to install. If you have a custom theme (or even one you coded yourself), be sure to have it reviewed by a competent developer or security expert about once per year to ensure it doesn't have security holes.

Security and Hardening: You should install and configure one or more popular WordPress plugins to secure and harden your website (beyond the 'out of the box' setup). While WordPress is a very mature and secure platform, you can easily add multiple additional layers of basic security by changing your admin username, the default WordPress table name, and security against 404 attacks and long malicious URL attempts.

Tips for Malware Removal

If you think your WordPress website has been hacked or injected with malware, malicious scripts, spam links, or code, the first thing you should do get a backup copy of your website (if you don't already have one). Get a copy of all files in your webhosting account downloaded to your local computer, as well as a copy of your database.

Next install one of the many free malware scanner plugins in the WordPress official free plugin repository. Activate it, and see if you can find the source of the infection. If you're a technical person, you might be able to remove the code or scripts on your own. Be sure to check all your theme files, and you might also need to reinstall WordPress.

If your WordPress core files are infected one of the best ways to remove the source of the infection is to delete the entire wp-admin and wp-includes folders (and contents) as well as all files in the root of your website. Inside the wp-content folder delete both the themes and plugins folders (keeping the uploads, which has attachments and images you've uploaded). Since you have a local copy of your website, you can reinstall the theme and you know what plugins were installed.

The best thing to do at this point is to download a fresh copy of WordPress and install it. Use the local copy of the wp-config.php file to connect to your existing database. Once you've done this, before reinstalling your theme and plugins you might want to login one time to your wp-admin dashboard and go to "Tools->export" and export and entire copy of all your content, comments, tags, categories, and authors. Now (if you want) at this point you could drop the entire database, create a new one, and import all your content so you'd have a completely fresh copy of both WordPress and a new database. Then last, reinstall your theme and fresh copies of all plugins from the official WordPress repository (don't use the local copies you downloaded).

If these steps are too technical for you, or if it didn't remove the source of the infection, you might need to enlist the help of a WordPress security expert.

Preventive Maintenance Moving Forward

If your website is important to you, or if you use it for business - it's important that you protect it as if it were your physical business. Would would happen if your website were down or out of commission tomorrow? Would it hurt your business? A little preventative medicine goes a long way:

Backup and Disaster Recovery Plan: Make sure you have a working and tested backup solution in place (this is what most businesses would call a disaster recovery plan). There are many free and paid plugins and solutions to accomplish this for a WordPress website.

Install Basic Security: If you don't have a WordPress security plugin installed, get a highly rated and recently updated one from the official free plugin repository today to protect your website. If you aren't comfortable doing this on your own or don't have a technical website person, then hire a WordPress consultant or security expert to do it for you.